hashicorp/vault-action

Code: 403 signing digest: transit: failed to sign payload: Error making API request

Closed this issue · 4 comments

I am getting a 403 permission error when I try to sign an image with cosign and Vault's transit engine in a GitHub Action. I did not face any issues authenticating to Vault from our GitHub.

What am I doing wrong? It seems to be a policy issue, but what is wrong with the policy below?

    URL: PUT https://xxx/v1/transit/sign/cosign/sha2-256
    Code: 403. Errors:
    * 1 error occurred:
    	* permission denied

    vault policy write docker-action - <<EOF
    path "transit/*" {
      capabilities = [ "create","read","update","list" ]
    }
    EOF

    vault write auth/github-oidc/role/docker-action -<<EOF
    {
        "role_type": "jwt",
        "user_claim": "workflow",
        "bound_subject": "",
        "bound_audiences": "https://github.com/xxx",
        "bound_claims_type": "glob",
        "policies": "docker-action",
        "ttl": "1h"
    }
    EOF

This is the step in action

    - name: Sign image with a key
      if: ${{ inputs.sign }}
      run: |
        # Expressions must be written as ${{ ... }}; bare {{ ... }} is passed to cosign literally.
        cosign sign --key hashivault://cosign \
          -a "repo=${{ github.repository }}" \
          -a "workflow=${{ github.workflow }}" \
          -a "ref=${{ github.sha }}" \
          ${{ inputs.images }}@${{ env.IMAGE_DIGEST }}
      env:
        # cosign's Vault client reads VAULT_ADDR and VAULT_TOKEN from the environment
        VAULT_ADDR: https://vault.internal.com
        VAULT_TOKEN: ${{ env.VAULT_TOKEN }}
      shell: bash

The policy looks good to me. Please can you also add the vault-action step configuration? Perhaps there is a mismatch in namespaces? And does the VAULT_ADDR match up between auth and cosign? And last thing I can think of off the top of my head - is the VAULT_TOKEN env definitely getting populated? (Value should show as *** for the step in the github action logs)

This is the Vault step. As far as I understood, GitHub is able to authenticate to Vault. Do you see any issue in the role itself? Should I use bound_claims with the repository?


    - name: Import Secrets
      uses: hashicorp/vault-action@v2.4.3
      if: ${{ inputs.sign }}
      id: secrets
      with:
        exportEnv: false
        exportToken: true
        url: https://vault.internal.com
        namespace: devsup
        path: github-oidc
        method: jwt
        role: docker-action

Thanks for those details, I think it is Vault namespaces tripping you up. In the vault-action config, you're logging in within a namespace: namespace: devsup. Then cosign is trying to use transit in the root namespace, because there's no namespace config, and that fails because a child namespace can't access its parent namespace by default.

I had a quick look at the Vault client in cosign, and it looks like it uses the Vault SDK, so you should be able to fix this by adding VAULT_NAMESPACE: devsup to the env map of the cosign step.
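Putting that fix in context, here is a complete workflow fragment. It is an added example, not code from this thread or from the vault-action project: the `devsup` namespace, `github-oidc` mount, `docker-action` role, `cosign` transit key and Vault URL come from the thread, while the job name, the image variables and the "Check transit capabilities" step are assumptions for illustration. The check step calls Vault's `sys/capabilities-self` endpoint, once without and once with the `X-Vault-Namespace` header, so the log shows why the original run failed: the request that omits the header is evaluated in the root namespace, where the token has no grants, while the namespaced request must report `update` on the sign path before cosign is allowed to run.

```yaml
name: sign-image
on:
  workflow_dispatch:

jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # needed for the GitHub OIDC token that vault-action exchanges
      contents: read
    env:
      VAULT_ADDR: https://vault.internal.com   # from the thread
      VAULT_NAMESPACE: devsup                  # set once at job level; every step inherits it
      IMAGE: ghcr.io/example/app               # hypothetical image name
      # IMAGE_DIGEST is assumed to be populated by an earlier build/push step (not shown)
    steps:
      - name: Import Secrets
        uses: hashicorp/vault-action@v2.4.3
        id: secrets
        with:
          exportEnv: false
          exportToken: true                     # publishes VAULT_TOKEN to later steps
          url: ${{ env.VAULT_ADDR }}
          namespace: ${{ env.VAULT_NAMESPACE }} # login happens inside devsup
          path: github-oidc
          method: jwt
          role: docker-action

      # Pre-flight: ask Vault what this token may do on the transit sign path.
      # Without the namespace header the request is evaluated in the root
      # namespace, where a devsup token has no grants (a 403 or "deny");
      # with the header it must include "update", or the job stops here.
      - name: Check transit capabilities
        shell: bash
        run: |
          set -euo pipefail
          body='{"paths": ["transit/sign/cosign/sha2-256"]}'
          caps() {  # $1 = namespace, empty string means root
            local -a hdr=(-H "X-Vault-Token: ${VAULT_TOKEN}")
            [ -n "$1" ] && hdr+=(-H "X-Vault-Namespace: $1")
            curl -sS "${hdr[@]}" -X POST -d "$body" \
              -w '\nHTTP %{http_code}\n' "${VAULT_ADDR}/v1/sys/capabilities-self"
          }
          echo "== root namespace (this is what the original cosign call did) =="
          caps "" || true
          echo "== namespace ${VAULT_NAMESPACE} =="
          caps "${VAULT_NAMESPACE}" | tee /tmp/caps.txt
          # Strip the trailing HTTP status line and require "update" on the path.
          sed '$d' /tmp/caps.txt | jq -e '.data.capabilities | index("update")' > /dev/null

      - name: Sign image with a key
        shell: bash
        run: |
          # VAULT_ADDR, VAULT_TOKEN and VAULT_NAMESPACE are all read from the environment
          # by cosign's Vault SDK client, so transit is resolved inside devsup.
          cosign sign --key hashivault://cosign \
            -a "repo=${{ github.repository }}" \
            -a "workflow=${{ github.workflow }}" \
            -a "ref=${{ github.sha }}" \
            "${IMAGE}@${IMAGE_DIGEST}"
```

Setting `VAULT_NAMESPACE` at the job level rather than only on the cosign step keeps the login and signing steps from drifting apart again; if a later step must talk to a different namespace, override the variable on that step alone.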

@tomhjp it worked, really, thanks a lot for your kind support.